The present invention relates generally to communication networks, and more specifically, to a security protocol for use in a wireless network system.
Wireless communication has experienced tremendous growth over recent years. Wireless technology allows people to exchange information at virtually any location using pagers, cellular telephones, and other wireless communication products. Network users can move about almost without restriction and access LANs (Local Area Networks) from nearly anywhere. IEEE 802.11 is a wireless LAN standard that enables mobile stations to roam between Access Points (APs) attached to an Ethernet LAN. The IEEE 802.11 architecture consists of several components that interact to provide a wireless LAN that supports station mobility transparently to upper layers. This architecture uses fixed network APs with which mobile nodes can communicate. An AP is a station that provides access to a distribution system by providing distribution services in addition to acting as a station. As shown in FIG. 1, the network may include, for example, a plurality of remote users 20 connected to a wireless network, a plurality of wireless access points (AP1, AP2) connected to the wireless network and the Internet, and a server 22 (e.g., proxy or server of an Internet Service Provider (ISP)). The APs are used to access server 22 and provide communication between a local station in a wireless LAN and a remote station in another LAN.
With the added convenience of wireless access come heightened security concerns. When transmissions are broadcast over radio waves, there is a need to employ additional mechanisms to protect the communications. The IEEE 802.11 standard for wireless LAN communications introduced the Wired Equivalent Privacy (WEP) protocol in an attempt to address these new problems and bring the security of wireless systems to a level similar to that of wired systems. The 802.11i draft standard specifies protocols for mutual authentication and privacy between a client and its parent AP. A parent AP must authenticate with a client to prevent a “man-in-the-middle” security attack. The client and AP share a session key which is used to establish WEP keys for the client. Privacy is accomplished by encrypting packets with a WEP key that is unique for each client-AP pair.
The current 802.11i standard does not define a fast re-authentication method. In addition, management frames are not authenticated and there are no cryptographic operations in critical paths. Full authentication occurs after each reassociation. Thus, stations need to complete a full authentication conversation before recovering connectivity. Furthermore, authentication and key management methods requiring public key operations can take several seconds to complete.
The current IEEE 802.11i draft standard is based on the IEEE 802.1X port-level authentication protocol. IEEE 802.1X is a standard (approved in June 2001) that enables authentication and key management for 802 LANs, including Ethernet, Token Ring, and FDDI. IEEE 802.1X utilizes Extensible Authentication Protocol (EAP) as its authentication framework. IEEE 802.11i has four primary components: a) supplicant; b) 802.1X authenticator; c) authentication server (e.g., RADIUS server); and d) higher-layer authentication protocol. A supplicant is a security entity located at a client and an authenticator is a security entity located at an AP. Whenever a client associates with a parent AP, the client and AP must mutually authenticate and establish a session key, via the authentication server. The AP uses the session key for a client to securely establish encryption keys (i.e., WEP, AES) for the client. The current 802.11i draft standard requires a client to authenticate with its new parent AP via the authentication server and the higher-layer authentication protocol each time that it roams. The AP typically forwards client authentication requests to a central AAA server such as a RADIUS (Remote Access Dial-in User Service) server. IEEE 802.11i also provides a mechanism where an AAA server can establish a secret session key (or keys) for each AP/client pair.
Since the client must reauthenticate with its new parent AP each time that it roams, normal data communications cannot proceed until the authentication process has been completed. Full authentication typically takes a relatively long time because it requires the services of an AAA server, which may be centrally located on a remote subnet. Slow roaming prohibits some QoS applications in clients. For example, a lengthy authentication process disrupts time-sensitive applications, such as Voice-over IP (VoIP).
The original IEEE 802.11i draft proposed a fast roaming Kerberos-based security mechanism to avoid slow roaming problems. Kerberos is a network authentication protocol. It is designed to provide authentication for client/server applications by using secret-key encryption. The Kerberos authentication system uses a series of encrypted messages to prove to a verifier that a client is running on behalf of a particular user. In Kerberos, the user's session key is derived from a password. Each client and application server shares a session key with the authentication server. Whenever a client authenticates itself to a new verifier, it relies on the authentication server to generate a new encryption key and distribute it securely to both parties using the session keys. A Kerberos ticket is used to distribute the key to the verifier. The Kerberos ticket is a certificate issued by an authentication server and encrypted using the application server key. The ticket is sent to the client who forwards it to the verifier in the application server as part of the application request. Because the ticket is encrypted in the application server key, known only by the authentication server and intended verifier, it is not possible for the client to modify the ticket without detection.
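The ticket flow described above, as an added sketch that is not part of the original text: an authentication server issues one fresh key sealed separately for the client and for the verifier, and the verifier rejects a ticket the client has altered. The HMAC-based sealing is a standard-library stand-in for Kerberos' real encryption, all names and inputs are hypothetical, and timestamps and lifetimes are omitted.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Keystream: HMAC-SHA256 in counter mode (stdlib stand-in, not Kerberos' cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    # Encrypt-then-MAC; output is nonce || ciphertext || tag.
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("modified, or sealed under a different key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def issue(client_key, verifier_key, client_id, verifier_id):
    # Authentication server: one fresh key, one sealed copy per party.
    k = os.urandom(32).hex()
    for_client = seal(client_key, {"verifier": verifier_id, "key": k})
    ticket = seal(verifier_key, {"client": client_id, "key": k})
    return for_client, ticket

def rejected(key, blob):
    try:
        unseal(key, blob)
        return False
    except ValueError:
        return True

def demo():
    # Constructed inputs: the client's long-term key is derived from a password.
    client_key = hashlib.pbkdf2_hmac("sha256", b"constructed-password", b"alice@EXAMPLE", 100_000)
    verifier_key = os.urandom(32)  # shared only by the server and the verifier
    for_client, ticket = issue(client_key, verifier_key, "alice", "ap1")
    same_key = unseal(client_key, for_client)["key"] == unseal(verifier_key, ticket)["key"]
    tampered = bytearray(ticket)
    tampered[20] ^= 0x01  # one ciphertext bit changed before the ticket is forwarded
    return same_key, rejected(verifier_key, bytes(tampered)), rejected(client_key, ticket)

if __name__ == "__main__":
    print(demo())
```

The three results are: both parties recover the same key, the verifier rejects the altered ticket, and the client cannot open the ticket with its own key.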
The proposed solution required a client to initially obtain a Kerberos ticket for a network access service provided by the AP. The Kerberos ticket was used for fast, mutual reauthentication each time the client roamed to a new parent AP. The proposal was eventually dropped from the IEEE 802.11 draft because it had a number of significant drawbacks. One drawback was that it required an 802.11 customer to install a Kerberos security infrastructure. Furthermore, security was weakened because all APs had to share a secret key to avoid accessing a Kerberos security server each time that a client roamed.
Roaming also requires operational context information to be securely transferred from an old parent AP to a new parent AP. Context information includes, for example, QoS state, authentication state, group membership, and IP/MAC address bindings. A draft standard Inter-Access Point Protocol (IAPP) has been developed by the IEEE 802.11f working group for transferring context information. When a client roams, the new parent AP sends a Move-Notify message to the old AP and the old AP returns context information in a corresponding Move-Response message. This draft standard, however, does not address the issue of how to transfer context securely.
Another issue with 802.11 networks is sidestream transmissions. In an infrastructure network, a client cannot send a frame directly to another client. Instead, all client traffic is routed through a parent AP. The current IEEE 802.11e draft standard permits sidestream transmissions where a client associated with an AP can send frames directly to another client associated with the same AP, without routing the frames through the AP. The IEEE 802.11 draft version (e) specifies a sidestream setup protocol. This requires the first client to send a Location Discover request to its parent AP to inquire if a second client can participate in a sidestream session. The AP then returns a Location Discover response to the first client. If a sidestream session is possible, the first client sends a Direct Communication request to the second client. The second client then returns a Direct Communication response to the first client. A method does not currently exist, however, for mutual authentication and privacy for sidestream transmissions. The use of sidestream transmissions is therefore severely restricted.